Many thanks to Andrew Nacin for his responsible disclosure of the XSS issue to the BuddyPress team. As a reminder to the community: if you think you’ve found a security issue in BuddyPress, please practice proper disclosure procedure, and report issues directly to the BP development team (or to security [at] wordpress.org).